Not every outsourcing firm is bad news. It depends on who brought them up. It depends to a large extent on their parenting. Like The Dog Whisperer says: "There are no bad dogs - just bad owners." This is a cautionary tale of a poor CISO driven witless by a ruthless, cost-cutting boss who falls foul of the worst traits of the mongrel outsourcing firm Offshore The Salvage IT Support company. Before I tell this sorry tale I want to say that not everyone is the same and there are exceptions to the rule. However, when you hear a story as many times as I have, you do start to generalise...
There are thousands of CISOs being held ransom by the very people who promised to take away their pain. Lured by the promise of specialised consultants managing the IT infrastructure for a fraction of the cost of doing so in-house, who wouldn't jump at the chance to outsource? Many CEOs who think they can please the shareholders with a nice fat dividend make decisions in haste - and they and their CISOs repent in leisure.
This is the tale of some who, a few years down the line, are discovering everything isn't quite as cost effective as it seems. The first warning sign tends to follow a failed audit. Let's take a look at the discussions - both said and what is actually meant, that typically follows.
Our CISO - Dave, calls his account manager at The Salvage IT Support Company - Tarquin.
Dave: Hi, is that Tarquin? Listen mate, I think there's a problem.
Tarquin: What's up?
Dave: We've just failed our audit. Apparently there's an emerging threat as hackers have found a new way in by exposing our privileged identities. The auditor's pointed out that we're not controlling our privileged accounts. Can you take a look at this for me?
Tarquin: Right, leave it with me. I'll get back to you.
Tarquin hangs up and slightly adjusts his cravat. Turning to his colleague with a glint in his eye, he says: "We've got another one. That was Dave over at UK PLC. They've just failed their audit and he wants us to solve it. Looks like my bonus for thrashing my target's well and truly in the bag. I know this won't be covered by the contract because it never is and, while the negotiations are carrying on, we'll revert to an hourly rate. He's so short staffed he won't have time to do anything himself so he'll have to trust me."
Sign up for CIO Asia eNewsletters.